mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-08-25 10:19:47 +00:00
Code Issues Releases Wiki Activity

NFSv4: Check for buffer length in __nfs4_get_acl_uncached

Browse source 
Commit 1f1ea6c "NFSv4: Fix buffer overflow checking in
__nfs4_get_acl_uncached" accidently dropped the checking for too small
result buffer length.

If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount
supporting ACLs, the ACL has not been cached and the buffer suplied is
too short, we still copy the complete ACL, resulting in kernel and user
space memory corruption.

Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Cc: stable@kernel.org
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
This commit is contained in:
Sven Wegener 2012-12-08 15:30:18 +01:00 committed by Trond Myklebust
parent 4c10021008
commit 7d3e91a89b
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
fs/nfs/nfs4proc.c
View file

@ -3937,8 +3937,13 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
goto out_free;
}
nfs4_write_cached_acl(inode, pages, res.acl_data_offset, res.acl_len);
if (buf)
if (buf) {
if (res.acl_len > buflen) {
ret = -ERANGE;
goto out_free;
}
_copy_from_pages(buf, pages, res.acl_data_offset, res.acl_len);
}
out_ok:
ret = res.acl_len;
out_free: